A method and apparatus for generating a message authentication code (mac)
or integrity check value (icv) for a digital message to be transmitted by way of
a telecommunications medium. Modular arithmetic to a prime modulus is utilised to
combine message data and pseudo-random cipher data so as to produce a mac or icv
which has a cryptographic strength comparable to that of the source of cipher data.
The method for generating the mac can be performed iteratively, this being suitable
for use with stream cipher encryption methods.
A METHOD AND APPARATUS FOR GENERATING A DIGITAL MESSAGE AUTHENTICATION CODE

This invention relates to a method and apparatus for generating a digital message
authentication code.

In digital communication systems, such as broadband integrated systems digital
networks (B-ISDN) it is often desirable to prevent the meaning of digital messages
transmitted thereon from being intercepted and/or interfered with by an unauthorised
person. For this reason, digital messages are often encrypted or enciphered such that a
person intercepting the transmitted message is unable to ascertain its meaning. Therefore,
at the sending site on the network a plain text message is, under control of an enciphering
key, transformed into cipher text which is preferably unintelligible to anyone not having
the secret deciphering key. At the legitimate receiving site on the network, the cipher
text is, under control of the secret deciphering key, retransformed into the original plain
text message. Cryptographic systems which operate in this way are commonly classified
into block ciphers and stream ciphers.

Stream ciphers act by dividing the plain text into characters, each of which is
enciphered utilising a time varying function whose time dependency is governed by the
internal state of the stream cipher. The time varying function is produced by a cipher
stream generator, which generates a digital cipher stream in accordance with key data
which is kept secret. The cipher stream generator is constructed such that the cipher
stream produced is a pseudo random bit stream which is cyclic, but has a period which
is much greater than the length of key data provided. In a stream cipher, after each
character is enciphered, the device changes state according to a rule, such that two
occurrences of the same character in the plain text message will usually not result in the
same cipher text character.

The security or strength of a stream cipher depends on the "randomness" of the
generated cipher stream. Assuming an interceptor has knowledge of the plain text
message, full access to the running cipher stream may also be deduced. For the system
to be secure, the cipher stream must be unpredictable: regardless of the number of cipher
stream digits observed, the subsequent cipher stream digits must not be more easily
predictable than by just randomly guessing them. An enciphering system such as this
ensures that an unauthorised person is unable to determine the meaning of an intercepted
message, but does not address the issue of interference with the message despite its
meaning being unknown. For example, a portion of a transmitted message may be
intercepted, altered or replaced with another message portion even if the interceptor is
unable to ascertain the deciphered meaning of the original, altered or replaced message
portion.

The immunity of a system to unauthorised and undetected alteration of a
transmitted message is referred to as the integrity of the system. Integrity is a factor
which is not often considered in relation to stream ciphers. A message authentication
code (mac), or integrity check value (icv) determined from the content of the plain text
message, may be transmitted with the cipher text to enable the receiver to determine
whether the received deciphered plain text corresponds with the plain text originally
transmitted, i.e. whether the cipher text has been altered during transmission. The
message deciphering and authentication process involves the receiver having access to a
cipher stream corresponding to the cipher stream with which the message was enciphered.
Then, upon receiving the message the receiver can decipher it and generate a mac from
the deciphered plain text message. A comparison of the received mac and the mac
generated by the receiver can then be used as an indication of whether the transmitted
mac or message has been altered in transit, since the mac generated by the receiver
should be the same as the mac generated at the transmitter. However, in certain
cryptographic systems it may be possible for a cryptanalyst to alter both the cipher text
message and the enciphered mac in such a way that the change is not apparent to the
receiver, even though the cryptanalyst is unable to determine the meaning of the cipher
text which has been altered. Therefore, it is also advantageous for cryptographic systems
to provide an integrity checking or authentication process which prevents such alterations
during transmission from taking place without detection.
A paper entitled "A Fast Cryptographic Checksum Algorithm Based on Stream
Ciphers" (X. Lai, R. Rueppel, J. Woollven; AUSCRYPT '92 Abstracts; pp 8-7 to 8-11)
describes a cryptographic checksum algorithm for producing a message authentication
code with a stream cipher system. The checksum algorithm presented involves
demultiplexing the message stream into two subsequences according to the binary state
of the cipher stream. The two subsequences are input to respective accumulating
feedback shift registers, the outputs of which serve as a pair of message authentication
codes. The checksum algorithm is easily implemented, regardless of the cipher stream
generator structure. However, the cryptographic checksum algorithm is flawed in so far
as the alteration of a single digit in the message stream only requires the alteration of a
single digit in the message authentication code to obtain the correct mac value.
Consequently, certain alterations can be made to the message with a high probability of
also obtaining the correct message authentication code.

A further integrity checking system is described in International Patent Application
No. PCT/AU93/00687 entitled "A method and apparatus for generating a cipher stream".
The algorithms described therein for generating message authentication codes, however,
are dependent upon the particular structure of the cipher stream generator. It would be
preferable, therefore to provide an integrity checking mechanism for a stream cipher
system which is independent from the method used for generating the stream cipher itself.

In accordance with the present invention there is provided a method for generating
a message authentication code for a digital message in a telecommunications or computer
system comprising:
generating a sequence of pseudo random cipher strings; and
generating a message authentication code by performing modular arithmetic to a
prime modulus including multiplication of the digital message by a first said cipher string
and addition of a second said cipher string.

Preferably, the message comprises a sequence of message units which are
multiplied by respective powers of said first cipher string in generating the message
authentication code.

Preferably, the message comprises a sequence of message blocks each comprising
a said sequence of message units, each sequence of message units being multiplied by
respective different said first cipher strings and summed with said second cipher string
to form the message authentication code.

In accordance with the present invention there is also provided a method for
generating a message authentication code in a telecommunications or computer system
for a digital message which comprises a sequence of message blocks each comprising a
sequence of message units, including the steps of:
generating a sequence of pseudo random cipher strings;
generating a non-linear function value for each message block by summing the
constituent message units multiplied by respective values derived from said cipher string
sequence; and
generating the message authentication code by summing the non-linear function
values with a said cipher string sequence value to a prime modulus.

Preferably the message units are multiplied by respective powers of a said cipher
string sequence value.

In accordance with the present invention there is also provided a method for
generating a message authentication code in a telecommunications or computer system
for a digital message M which comprises a sequence of message units $m_j$ for j = 0, 1, ...,
r, comprising the steps of:
generating a sequence of pseudo random cipher strings $z_i$;
determining a non-linear function value f according to

$$f(M, z_i) = \sum_{j=0}^{r} m_j z_i^{\,r-j+1} \pmod p; \text{ and}$$

generating the message authentication code Q modulus p, where p is prime,
according to

$$Q = (f(M, z_i) + z_{i+1}) \pmod p$$

In accordance with the present invention there is also provided a method for
generating a message authentication code in a telecommunications or computer system
for a digital message M which comprises a sequence of message units for j = 0, 1, ...,
r, comprising the steps of:
generating a sequence of pseudo random cipher strings
determining a non-linear function value f according to

r 

J(MjO = ]C Oood p); and 

generating the message authentication code Q modulus p, where p is prime,
according to

$$Q = (f(M, z_i) + z_{i+1}) \pmod p$$

In accordance with the present invention there is also provided a method for
generating a message authentication code in a telecommunications or computer system
for a digital message M which comprises a sequence of message blocks $M_j$ for j = 0, 1, ...,
s, each message block comprising a sequence of b message units $m_{jk}$ for k = 0, 1, ..., b-1,
comprising the steps of:
generating a sequence of cipher strings $z_i, z_{i+1}, z_{i+2}, \ldots$
determining a non-linear function value f for each message block according to

$$f(M_j, z_{i+j}) = \sum_{k=0}^{b-1} m_{jk} z_{i+j}^{\,b-k} \pmod p; \text{ and}$$

generating the message authentication code Q modulus p, where p is prime,
according to

$$Q(M, z_i) = \Big(\sum_{j=0}^{s} f(M_j, z_{i+j}) + z_{i+s+1}\Big) \pmod p.$$



Preferably the message authentication code effective code size is increased by a
factor of h by generating a modified message authentication code Q' according to:

$$Q' = \cdots \mid Q(M, z_{i+(h-1)(s+2)}) \pmod p$$

where | represents concatenation.

The present invention further provides a method for encoding a digital message
comprising generating a sequence of cipher strings, generating a message authentication
code according to a method described above, enciphering the message by combining at
least one said cipher string therewith, the at least one cipher string being distinct from
the cipher strings utilised for generating the message authentication code, and appending
the message authentication code to the enciphered message.

The invention also provides apparatus for generating a message authentication
code for a digital message composed of a sequence of message blocks, comprising:
a stream cipher for generating a sequence of pseudo-random cipher strings; and
computation means for generating a non-linear function value for each message
block by combining each message block with at least one said cipher string by way of
modular arithmetic to a prime modulus, and generating a message authentication code by
summing the non-linear function values together with at least one further said cipher
string.

Preferred embodiments of the invention are described in detail hereinafter, by way
of example only, with reference to the accompanying drawings, wherein:

Figure 1 is a flow chart of a preferred algorithm for generating a message
authentication code; and

Figure 2 is a block diagram of a system for encoding digital messages for
transmission by way of a telecommunications path.

An effective cipher stream generator utilises secret key data to produce an output
consisting of a pseudo random bit stream Z. The cipher stream Z is typically used to
encrypt a stream of message data by logically combining the cipher stream and the
message stream. Since the cipher stream is continuously changing, a particular bit
sequence repeated in the message stream will be encrypted differently each time,
depending on the state of the cipher stream. It is therefore advantageous to exploit the
time dependence randomness of the cipher stream not only for encryption of the message,
but also to ensure that the integrity of the message is not compromised. Throughout the
following description the terms message authenticity and message integrity are used
interchangeably to refer to the condition of a digital message reaching its destination
unaltered or, if altered, the alteration being detectable at the destination. In particular,
the terms message authentication code (mac) and integrity check value (icv) are used
interchangeably throughout the specification to denote a numerical value generated from
the numerical value of a message which may be utilised to determine whether the
message itself has been altered before reaching its destination. Furthermore, in the
following for integers t and u we shall write t[u] to represent the unique positive integer
satisfying:

$$t[u] \equiv t \pmod u \quad \text{and} \quad 0 \le t[u] \le (u-1)$$

Consider a stream cipher with output $Z = (z_0, z_1, z_2, \ldots)$ where each output $z_i$ is
a word of w bits (typically w = 16 or 32), such that each has a value from 0 to $2^w - 1$.
It is assumed that Z is unpredictable in the sense that from any part of the Z stream it
should be difficult to predict (either exactly or with high probability) what another part
of the Z stream was or will be. The output of the cipher stream may be used to provide
message integrity by the construction of an integrity check value (icv) that is generated
from the message and appended thereto. A non-linear combination of the message and
the stream cipher output is utilised to prevent an attacker from modifying the message
and determining the necessary modification to generate a valid icv. Prime power modular
arithmetic is also used in generating the icv, which ensures that the values of the icv are
uniformly distributed and minimal in number for a given message value. The simplest
icv can thus be calculated as follows, for a single message unit m, such as a message
word, and a prime modulus p:

Extending this to generate a single icv for two message units yields:

The preferred implementation of the integrity check value generation, however,
involves generating a single icv for a message which consists of a sequence of message
blocks each comprising a sequence of message integer units.

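The procedure for generating the icv is as follows:
Select a message block length b and prime number $p = 2^w + k$ (k small). Let a message
string $M = (m_0, m_1, \ldots)$, of integers between 0 and $2^w - 1$ be partitioned into blocks $M_0$,
$M_1, \ldots, M_s$ each containing at most b integers so that:

$$M_j = m_{bj}, m_{bj+1}, \ldots, m_{b(j+1)-1}, \quad j = 0, 1, \ldots, s-1$$
$$M_s = m_{bs}, m_{bs+1}, \ldots, m_{bs+t} \quad \text{for some } t \le b-1$$

Use the stream cipher to generate s+2 outputs $z_i, z_{i+1}, \ldots, z_{i+s+1}$. The icv is calculated
as:

$$icv(M, b, p, z_i, z_{i+1}, \ldots, z_{i+s+1}) = (f(M_0, z_i) + f(M_1, z_{i+1}) + \cdots + f(M_s, z_{i+s}) + z_{i+s+1})\,[p] \qquad (1)$$

where for any message string $N = (n_0, n_1, \ldots, n_t)$ and integer x,

$$f(N, x) = (\ldots((n_0 x + n_1)x + n_2)x + \cdots + n_t)x\,[p]$$
$$\phantom{f(N, x)} = (n_0 x^{t+1} + n_1 x^{t} + n_2 x^{t-1} + \cdots + n_t x)\,[p] \qquad (2)$$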

The following example illustrates the procedure for generation of an icv for transmission
with a message, such as over a telecommunications network.

Example 1: Let w = 32, $p = 2^{32} + 15$, d = 10, b = 20. Let the cipher be in state 56 (the
last output produced being 7^). Let $M = (m_0, m_1, \ldots, m_{108})$ be a message string of length
109 that requires integrity. M is divided into blocks $M_0, M_1, \ldots, M_4$ of length 20 where
$M_i = (m_{20i}, m_{20i+1}, \ldots, m_{20i+19})$, i = 0, ..., 4, and one block of 9 integers $M_5 = (m_{100},
m_{101}, \ldots, m_{108})$. The cipher is used to generate 7 outputs Zj^, %7» Zsg,..., and the
integrity check value is calculated according to (1) and (2).

iaiM, 20, 2**+15, z^, z^,..., 
The transmitted message is then 

As mentioned above, the strength of the message integrity or authentication checking
system is preferably of the same order as the strength of the accompanying encryption
system. In other words, the probability that an attacker is able to alter a message
undetected should be comparable to the probability of the attacker successfully
deciphering the message. The following Theorem and Corollaries establish a clear link
between the strength of the integrity mechanism and the strength of the stream cipher
from which it is constructed.

Theorem: Let $p = 2^w + k$, and the function f be defined by (2). Let M and M' be any two
unequal message strings of length b, and y any fixed integer. Then if x is a uniformly
distributed random variable in the range 0 to $2^w - 1$,

2^ 

Proof: Let $M = (m_0, m_1, \ldots, m_{b-1})$ and $M' = (m'_0, m'_1, \ldots, m'_{b-1})$. By expanding (2)

$$f(M, x) - f(M', x) \equiv ((m_0 - m'_0)x^{b} + (m_1 - m'_1)x^{b-1} + \cdots + (m_{b-1} - m'_{b-1})x) \pmod p.$$

Thus

$$f(M, x) - f(M', x) \equiv y \pmod p$$






if and only if 

By a standard result of elementary number theory (see, for example, p58 of Ivan Niven
and H.S. Zuckerman, The Theory of Numbers (fourth edition), John Wiley and Sons,
1980) such an equivalence has at most b solutions for x, from which the result follows.

Corollary 1 is an immediate consequence of this theorem.

Corollary 1: Let M and M' be any two unequal message strings and y any fixed
integer. Let the function icv() be defined as in (1) and (2). Then if $z_i, z_{i+1}, \ldots, z_{i+s+1}$ are
independent and uniformly distributed random variables in the range 0 to $2^w - 1$,

$$\text{Probability}[\,icv(M, b, p, z_i, z_{i+1}, \ldots, z_{i+s+1}) - icv(M', b, p, z_i, z_{i+1}, \ldots, z_{i+s+1}) \equiv y \pmod p\,] \le \frac{b}{2^w}$$

Corollary 2 indicates the strength of the integrity mechanism in terms of the likelihood
of replacing, in transit, a message and the corresponding icv with a legitimate, but
different, message-icv pair.

Corollary 2: Let M and M' be any two unequal message strings, and y, g any fixed
integers. Let the function icv() be defined as in (1) and (2). Then if $z_i, z_{i+1}, \ldots, z_{i+s+1}$
are independent and uniformly distributed random variables in the range 0 to $2^w - 1$,

$$\text{Probability}[\,icv(M', b, p, z_i, z_{i+1}, \ldots, z_{i+s+1}) \equiv y \pmod p \mid icv(M, b, p, z_i, z_{i+1}, \ldots, z_{i+s+1}) \equiv g \pmod p\,] \le \frac{b}{2^w}$$

Proof: Expanding the left hand side of the inequality above,

$$\text{Probability}[\,icv(M', b, p, z_i, z_{i+1}, \ldots, z_{i+s+1}) \equiv y \pmod p \mid icv(M, b, p, z_i, z_{i+1}, \ldots, z_{i+s+1}) \equiv g \pmod p\,]$$
$$= \text{Probability}[\,icv(M, b, p, z_i, z_{i+1}, \ldots, z_{i+s+1}) - icv(M', b, p, z_i, z_{i+1}, \ldots, z_{i+s+1}) \equiv g - y \pmod p \mid icv(M, b, p, z_i, z_{i+1}, \ldots, z_{i+s+1}) \equiv g \pmod p\,]. \qquad (3)$$

However

is independent of $z_{i+s+1}$ while

$$icv(M, b, p, z_i, z_{i+1}, \ldots, z_{i+s+1}) \equiv g \pmod p$$

if and only if

$$z_{i+s+1} \equiv (g - f(M_0, z_i) - \cdots - f(M_s, z_{i+s})) \pmod p.$$

Thus the events described in the conditional probability of (3) are independent and so the
left hand side of (3) is equal to

$$\text{Probability}[\,icv(M, b, p, z_i, z_{i+1}, \ldots, z_{i+s+1}) - icv(M', b, p, z_i, z_{i+1}, \ldots, z_{i+s+1}) \equiv (g - y) \pmod p\,].$$

The result now follows by Corollary 1.

Assume that the stream cipher produces outputs that are
distributed random variables in the range 0 to $2^w - 1$. It follows from Corollary 2 that if
any message and its integrity check value were to be altered in transit (the message being
altered in at least one bit position), the new message and integrity check value would
register as valid by the receiver with probability at most $b/2^w$. Thus we refer to
$\log_2 (2^w/b)$ as the effective icv size. As an example, with a word size w of 32 bits and a
block size b of 20 the resulting effective icv size is approximately 28. Note that the
effective icv size indicates the strength of the integrity method used with an idealised
stream cipher (with outputs that are uniformly distributed independent random variables).
For this to be a meaningful indicator of integrity strength with a practical deterministic
stream cipher however, clearly the stream cipher key size must be at least as large as the
effective icv size. In this case if there is some way of altering or substituting message-icv
pairs that goes undetected with a probability of more than $b/2^w$ then this implies some
corresponding level of predictability in the stream cipher output.
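The Theorem's bound and the effective icv size can be checked by brute force on a toy word size. This is an added example, not part of the patent text: w = 8, p = 2^8 + 1 = 257, b = 4 and the sample blocks are constructed values, and f() follows the nested form of equation (2).

```python
# Added example, not the patent's own code. The toy parameters (w = 8,
# p = 2^8 + 1 = 257, b = 4) and the sample blocks below are constructed.
from collections import Counter
from math import log2


def f(block, x, p):
    """Equation (2), nested form: (...((n0*x + n1)*x + n2)*x + ... + nt)*x mod p."""
    acc = 0
    for n in block:
        acc = (acc + n) * x % p
    return acc


def worst_case_matches(m1, m2, w, p):
    """Max over y of the number of x in 0..2^w-1 with f(m1,x) - f(m2,x) = y (mod p)."""
    hits = Counter((f(m1, x, p) - f(m2, x, p)) % p for x in range(2 ** w))
    return max(hits.values())


def forgery_bound(m1, m2, w, p):
    """Return (worst observed probability, Theorem bound b / 2^w) for two blocks."""
    return worst_case_matches(m1, m2, w, p) / 2 ** w, len(m1) / 2 ** w


def bound_holds(pairs, w, p):
    """True if no pair of unequal blocks exceeds b matching values of x."""
    return all(worst_case_matches(a, b, w, p) <= len(a) for a, b in pairs)


def effective_icv_bits(w, b, h=1):
    """log2(2^w / b) for one icv, multiplied by h for h concatenated icvs."""
    return h * (w - log2(b))


# Constructed pairs of unequal blocks of length b = 4, words in 0..255.
SAMPLE_PAIRS = [
    ((1, 0, 0, 0), (0, 0, 0, 0)),          # difference x^4: reaches the bound b
    ((10, 200, 3, 77), (10, 200, 4, 77)),  # difference -x^2: at most 2 matches
    ((255, 0, 17, 4), (0, 255, 17, 5)),
]

if __name__ == "__main__":
    for a, b in SAMPLE_PAIRS:
        print(a, b, forgery_bound(a, b, 8, 257))
    print("bound holds:", bound_holds(SAMPLE_PAIRS, 8, 257))
    print("effective icv bits, w=32 b=20:", round(effective_icv_bits(32, 20), 1))
    print("with h=4:", round(effective_icv_bits(32, 20, 4), 1))
```

The first pair shows that the bound is attained: the difference polynomial x^4 takes some value y for exactly b = 4 of the 256 possible cipher words.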

Figure 1 illustrates a flow chart of the preferred method of generating an integrity
check value (icv) or message authentication code (mac). The flow chart 2 begins with
an initialisation step 4 in which the icv and indices j and k are initialised such that icv
= 0, j = 0 and k = i, where i is the initial state of the stream cipher with output z. In
order to determine the icv for a given message according to equations (1) and (2), the
flow chart 2 is structured into a dual loop iterative process, wherein steps 6, 8, 12 and
18 are used for the calculation of non linear function y (equation (2)) whilst steps 16, 20
and 22 perform the steps necessary for the calculation of the icv according to equation
(1). Step 6 acts as an initialisation step for the non linear function value y, such that the
first iteration of steps 8 and 12 are effective to calculate the first term of equation (2) (ie:
$m_0 x$). For each iteration of steps 8 and 12 successive integer values of the message are
input from the message stream 10 and values of the stream cipher are input from cipher
stream 14 according to the message block counter index k. Following each iteration of
step 12 the index j is incremented by one, and a test of the value of index j is applied at
step 16 to determine whether or not the last unit of the message has been processed.
Where there remain message units left to process, the procedure continues to step 18
where a test is applied to index j to determine whether or not the end of a message block
has been reached. If j+1 is an integer divisor of block size b at step 18, this indicates
that the beginning of a new message block has been reached, and the procedure continues
to step 20 where the icv is incremented by the value of the non linear function y. The
block counter index k is incremented following step 20, and the procedure passes to step
6 where the non linear function y is reset. Where the beginning of a message block has
not been reached at step 18 the procedure returns to step 8, so as to perform a further
iteration of steps 8, 12 and 16. When the end of the message has been reached, as
indicated by the result at step 16, the block counter index k is again incremented and the
icv is totalled together with the final stream cipher value (step 22). Utilising this
method allows the icv to be calculated in a serial manner, which is consistent with the
continuous output form of the message stream and cipher stream.

The following describes a modification of the above described integrity system,
to enable the effective icv size to be increased by any required factor h. As above, a
message string $M = (m_0, m_1, \ldots)$ is divided into blocks $M_0, M_1, \ldots, M_s$ each containing at
most b integers. The stream cipher is used to generate h(s+2) outputs $z_i, z_{i+1}, \ldots,
z_{i+h(s+2)-1}$. Then the integrity check value icv' is defined as a sequence of h integers
between 0 and p calculated according to:

where the function f is given by (2). This provides an icv of length hp with an effective
icv size of

-Ml 

Thus, for example, if b = 20, w = 32, h = 4 then the effective icv size is

$$4\,(32 - \log_2 20) \approx 110.7$$

To provide both integrity and encryption the cipher stream can be used to provide input
to the integrity calculation as well as output to be used for message encryption. In order
to prevent the integrity mechanism from being undermined by a known plain text attack
it is important that cipher stream output that is used in icv calculations by the receiver
never be used for message encryption by the sender. Otherwise a known plaintext attack
combined with altering the synchronisation of the cipher stream may succeed in making
the receiver use cipher data in icv calculations which is known to an attacker. To
overcome this problem an integer d (< b) is chosen such that only those $z_i$ for which i
is a multiple of d are used in the icv calculation, the remaining $z_i$ being used for
encryption. This technique is illustrated in the example below.

Example 2: As in Example 1 let w = 32, $p = 2^{32} + 15$, d = 10, b = 20, $M = (m_0, m_1, \ldots,
m_{108})$ and the cipher be in state 56. To apply integrity and confidentiality the cipher is
used to generate 121 outputs Zyj, Zg^..., z^^ and the icv is calculated as,

iniM, 20, 2^ +15, Zj^..., z^, 
where the icv function is defined by (1) and (2). The transmitted message is

Figure 2 illustrates a simple block diagram of an encryption and integrity system
which may be utilised to implement the above described. Message data $m_i$ is output from
a message source 26, which message data is passed to both an encryption processor 30
and a message authentication code generator 32. A cipher stream generator 28 outputs
stream cipher data which also passes to both the encryption processor 30 and mac
generator 32. The encryption processor 30 acts to combine the message and cipher
stream data so as to encrypt the message for transmission thereof. Meanwhile, the mac
generator 32 produces an integrity check value, as described above, utilising the same
message data but only one out of every d cipher stream outputs, the other d-1 cipher
stream outputs being utilised for encryption by the encryption processor 30. The
encrypted message m' and the icv are passed to a transmission source 34 whereat the icv
is appended to the encrypted message for transmission on an output 36.
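The serial procedure of Figure 1 and the rule that only cipher outputs whose index is a multiple of d feed the icv, put together as a sender and receiver in the arrangement of Figure 2. This is an added example, not the patent's own code: the SHAKE-256 keystream stands in for the unspecified stream cipher, XOR is assumed as the combining operation, the first output index 57 is assumed, and the icv is appended unencrypted.

```python
# Added example, not the patent's own code. The SHAKE-256 keystream, XOR
# encryption and the START index are assumptions made for illustration.
import hashlib
import hmac

W, K, B, D = 32, 15, 20, 10      # w, k, b, d as in Examples 1 and 2
P = 2 ** W + K                   # prime modulus p = 2^32 + 15
START = 57                       # assumed index of the first output after state 56


def keystream(key, start, count):
    """Stand-in cipher stream: {i: z_i} for i = start .. start+count-1, w-bit words."""
    raw = hashlib.shake_256(key).digest(4 * (start + count))
    return {i: int.from_bytes(raw[4 * i:4 * i + 4], "big")
            for i in range(start, start + count)}


def outputs_needed(start, n_msg, n_icv, d=D):
    """Number of consecutive outputs from z_start needed to fill both quotas."""
    i = start
    enc = mac = 0
    while enc < n_msg or mac < n_icv:
        if i % d == 0:
            mac += 1             # index is a multiple of d: reserved for the icv
        else:
            enc += 1             # every other index: available for encryption
        i += 1
    return i - start


def split_stream(key, n_msg, start=START):
    """Return (icv_words, enc_words) drawn from disjoint cipher stream indices."""
    n_icv = max(1, -(-n_msg // B)) + 1           # s + 2 words for s + 1 blocks
    z = keystream(key, start, outputs_needed(start, n_msg, n_icv))
    icv_words = [v for i, v in z.items() if i % D == 0][:n_icv]
    enc_words = [v for i, v in z.items() if i % D != 0][:n_msg]
    return icv_words, enc_words


def icv_stream(message, icv_words, b=B, p=P):
    """Serial icv as in Figure 1: one nested step per unit, one cipher word per block."""
    words = iter(icv_words)
    icv, y, z = 0, 0, next(words)
    for j, m in enumerate(message):
        y = (y + m) * z % p                      # next term of equation (2)
        if (j + 1) % b == 0 and j + 1 < len(message):
            icv, y, z = (icv + y) % p, 0, next(words)   # block finished, reset y
    return (icv + y + next(words)) % p           # equation (1): add final cipher word


def encode(key, message):
    """Sender: encrypt with the non-icv outputs and return (cipher text, icv)."""
    icv_words, enc_words = split_stream(key, len(message))
    cipher = [m ^ e for m, e in zip(message, enc_words)]
    return cipher, icv_stream(message, icv_words)


def decode(key, cipher, icv):
    """Receiver: return (valid, plaintext); valid is False if anything was altered."""
    icv_words, enc_words = split_stream(key, len(cipher))
    plain = [c ^ e for c, e in zip(cipher, enc_words)]
    expected = icv_stream(plain, icv_words)
    valid = 0 <= icv < P and hmac.compare_digest(
        expected.to_bytes(5, "big"), icv.to_bytes(5, "big"))
    return valid, plain


if __name__ == "__main__":
    key = b"constructed demo key"                          # constructed sample input
    msg = [(i * 2654435761) % 2 ** W for i in range(109)]  # constructed 109-word message
    cipher, icv = encode(key, msg)
    print("outputs drawn:", outputs_needed(START, len(msg), 7))
    print("valid:", decode(key, cipher, icv)[0])
    cipher[3] ^= 1                                         # alter one bit in transit
    print("valid after alteration:", decode(key, cipher, icv)[0])
```

With the 109-word message of Example 2 the split draws 121 consecutive outputs: 109 for encryption, and the first 7 of the outputs at multiples of d for the icv.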

The foregoing detailed description has been put forward merely by way of
explanation only, and is not intended to be limiting to the invention, which is defined in
the claims appended hereto.
GLOSSARY

Z = pseudo-random cipher stream sequence of cipher strings $z_i$

$z_i$ = cipher string word of w bits ($z_i$ is an integer in the range 1 to $(2^w - 1)$)

M = digital message

  = $(m_0, m_1, m_2, \ldots)$ sequence of integer words in the range 0 to $(2^w - 1)$

  = $(M_0, M_1, \ldots, M_s)$ sequence of message blocks of length b, such that
    message length $L \le (s+1)\,b$, where:

    $M_0 = m_0, m_1, \ldots, m_{b-1}$

    $M_j = m_{bj}, m_{bj+1}, \ldots, m_{b(j+1)-1}$

    $M_s = m_{bs}, m_{bs+1}, \ldots, m_{bs+t}$ $(t \le b-1)$

icv = integrity check value

$t[u] \equiv t \pmod u$

$p = 2^w + k$ (k small) such that p is prime

$$f(N, x) = n_0 x^{t+1} + n_1 x^{t} + n_2 x^{t-1} + \cdots + n_t x\,[p]$$
$$\phantom{f(N, x)} = (\ldots((n_0 x + n_1)x + n_2)x + \cdots + n_t)x\,[p]$$

for $N = n_0, n_1, n_2, \ldots, n_t$
and integer word x

$$icv(M, b, p, z_i, z_{i+1}, \ldots, z_{i+s+1}) = (f(M_0, z_i) + f(M_1, z_{i+1}) + \cdots + f(M_s, z_{i+s}) + z_{i+s+1})\,[p]$$
CLAIMS:

1. A method for generating a message authentication code for a digital message in
a telecommunications or computer system comprising:
generating a sequence of pseudo random cipher strings; and
generating a message authentication code by performing modular arithmetic to a
prime modulus including multiplication of the digital message by a first said cipher string
and addition of a second said cipher string.

2. A method as claimed in claim 1, wherein the message comprises a sequence of
message units which are multiplied by respective powers of said first cipher string in
generating the message authentication code.

3. A method as claimed in claim 1, wherein the message comprises a sequence of
message blocks which are each multiplied by respective different first cipher strings in
generating the message authentication code.

4. A method as claimed in claim 2, wherein the message comprises a sequence of
message blocks each comprising a said sequence of message units, each sequence of
message units being multiplied by respective different said first cipher strings and
summed with said second cipher string to form the message authentication code.

5. A method as claimed in any preceding claim wherein a plurality of message
authentication codes are generated for the same message but utilising different cipher
strings, and the plurality of message authentication codes combined or concatenated to
form a further message authentication code.

6. A method for generating a message authentication code in a telecommunications
or computer system for a digital message which comprises a sequence of message blocks
each comprising a sequence of message units, including the steps of:
generating a sequence of pseudo random cipher strings;
generating a non-linear function value for each message block by summing the
constituent message units multiplied by respective values derived from said cipher string
sequence; and
generating the message authentication code by summing the non-linear function
values with a said cipher string sequence value to a prime modulus.

7. A method as claimed in claim 6, wherein the message units are multiplied by
respective powers of a said cipher string sequence value.

8. A method as claimed in claim 6, wherein in generating each non-linear function
value the message units are multiplied by respective powers of a said cipher stream
sequence value, a different sequence value being utilised for each non-linear function
value.

9. A method as claimed in claim 8, wherein the cipher string sequence value
summed with the non-linear function values to generate the message authentication code
is a different sequence value from the cipher strings used to generate the non-linear
function values.

10. A method as claimed in any one of claims 6 to 9, wherein the non-linear function
values, f, are generated according to:

fiM,z) = £ m^l" (modp) 

where M is a message block comprising r message units $m_x$ (x = 0, 1, ..., r), and
are said cipher string sequence values.

11. A method for generating a message authentication code in a telecommunications
or computer system for a digital message M which comprises a sequence of message
units $m_j$ for j = 0, 1, ..., r, comprising the steps of:
generating a sequence of pseudo random cipher strings
determining a non-linear function value f according to

generating the message authentication code Q modulus p, where p is prime,
according to

$$Q = (f(M, z_i) + z_{i+1}) \pmod p$$



12. A method as claimed in claim 11, wherein the message is composed of a sequence
of message blocks which each comprise a said sequence of message units, and
wherein the message authentication code Q, modulus p, is generated according to:



/ ^ Zj^^i j (mod p) 

13. A method for generating a message authentication code in a telecommunications
or computer system for a digital message M which comprises a sequence of message
units $m_j$ for j = 0, 1, ..., r, comprising the steps of:
generating a sequence of pseudo random cipher strings
determining a non-linear function value f according to

Xilf^z) « 5^ m^^ (mod p); and 

generating the message authentication code Q modulus p, where p is prime,
according to

$$Q = (f(M, z_i) + z_{i+1}) \pmod p$$

14. A method for generating a message authentication code in a telecommunications
or computer system for a digital message M which comprises a sequence of message
blocks $M_j$ for j = 0, 1, ..., s, each message block comprising a sequence of b message units
$m_{jk}$ for k = 0, 1, ..., b-1, comprising the steps of:
generating a sequence of cipher strings $z_i, z_{i+1}, z_{i+2}, \ldots$
determining a non-linear function value f for each message block according to

generating the message authentication code Q modulus p, where p is prime,
according to

15. A method as claimed in claim 14, including the step of increasing the effective
code size of the message authentication code by a factor of h by generating a modified
message authentication code Q' according to:

$$Q' = \cdots \mid Q(M, z_{i+(h-1)(s+2)}) \pmod p$$

where | represents concatenation.

16. A method as claimed in any one of claims 1, 6, 11, 13 or 14 wherein the sequence
of cipher strings comprises a subset selection of cipher string values from a cipher
stream.

17. A method as claimed in claim 16 wherein the remaining cipher string values from
the cipher stream are utilised for encrypting the message and/or the message
authentication code.

18. A method for encoding a digital message comprising generating a sequence of
cipher strings, generating a message authentication code according to any one of claims
1, 6, 11, 13 or 14, enciphering the message by combining at least one said cipher string
therewith, the at least one cipher string being distinct from the cipher strings utilised for
generating the message authentication code, and appending the message authentication
code to the enciphered message.
19. Apparatus for generating a message authentication code for a digital message
composed of a sequence of message blocks, comprising:
a stream cipher for generating a sequence of pseudo-random cipher strings; and
computation means for generating a non-linear function value for each message
block by combining each message block with at least one said cipher string by way of
modular arithmetic to a prime modulus, and generating a message authentication code by
summing the non-linear function values together with at least one further said cipher
string.

20. Apparatus according to claim 19, including:
encryption means for encrypting the message by utilising sequence values of said
pseudo-random cipher string sequence which are distinct from the sequence values used
to generate the message authentication code; and
means for appending the message authentication code to the encrypted message
for transmission thereof.